Access other subnets connected through IPSec tunnels from a VPN client

At site A, I have a SA520W with site-to-site connections to sites B, C, D and E. From within the office I can ping all of the remote subnets. Using the Cisco VPN client and connecting to the router at site A, I would like to be able to access the subnets from B, C, D and E. Can this be done by adding additional VPN policies for the IPSec client?


Replies

I have tried adding static routes on both the client and router but have not had success. Is this a configuration issue or a device limitation? The dynamically assigned IP addresses on the SA520W under the VPN configuration cannot be associated with a VLAN.

Don't think IPSec is going to work for you as you're hoping. You can try SSL VPN, since with SSL VPN we can add client routes for the IPSec VPN connection. This is really what you are needing to do. When the VPN connection connects, it needs to be able to add routes to the other subnets. SSL VPN is the only split-tunneling method capable of adding route information to remote user connections.

Is this a limitation on the SA520W? When I connect with the IPSec client and observe the secured routes I see the local subnet 10.10.0.0 and there is also 192.168.25.0 (this is the default VLAN assigned to the cisco-quest wireless network). How is that route being published to the IPSec client?

Jason is right, SSL VPN will work and has been tested, but I do think IPsec should work as well; we have just not tested this function as of yet. What does the tunnel configuration look like for the site-to-site tunnels?

Would enabling RIP v2 help out in this scenario to advertise/publish the routes to the other networks through the remote access connection? I also have a layer 3 Cisco SF300-24 switch that sits behind the SA520W.

RIP, as well as other routing protocols, uses multicast traffic to populate its routing table. Without a GRE tunnel or some type of virtual interface, the routing traffic will not cross the IPSec tunnel.
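The two points made above, that routes pushed to the client decide what goes into the tunnel and that RIP multicast never matches a policy-based IPsec tunnel, both come down to traffic selectors. The following Python model is an added example, not code from this thread or from Cisco, and it simulates the hairpin path client -> site A -> site B with constructed addresses (the thread names 10.10.0.0 as the site A LAN; the /24 mask, the client pool 10.10.50.0/24 and the site B subnet 192.168.1.0/24 are assumptions). It shows why a static route alone does not help: a packet is only encrypted when it matches a selector on each leg, and a multicast destination such as 224.0.0.9 never does.

```python
"""Policy-based IPsec traffic-selector model (illustrative, constructed values)."""
import ipaddress

# Constructed address plan. Only 10.10.0.0 comes from the thread; the
# prefix length and the other networks are assumptions for this example.
SITE_A_LAN = ipaddress.ip_network("10.10.0.0/24")
CLIENT_POOL = ipaddress.ip_network("10.10.50.0/24")   # remote-access client pool
SITE_B_LAN = ipaddress.ip_network("192.168.1.0/24")   # site B behind a site-to-site tunnel
RIP_V2_GROUP = ipaddress.ip_address("224.0.0.9")      # RIPv2 multicast group


def remote_access_policy(extended):
    """Selector for the client <-> site A tunnel.

    The 'remote' list is what the client displays as its secured routes.
    extended=False: only the site A LAN is protected (the starting configuration).
    extended=True:  site B is added, so client traffic to B enters the tunnel.
    """
    remote = [SITE_A_LAN] + ([SITE_B_LAN] if extended else [])
    return ("client-to-A", [CLIENT_POOL], remote)


def site_to_site_policy_a_to_b(extended):
    """Selector for the site A <-> site B tunnel, seen from site A.

    extended=True adds the client pool as a protected local network; without
    it, site A decrypts the client's packet but has no policy that carries
    a 10.10.50.x source on to site B.
    """
    local = [SITE_A_LAN] + ([CLIENT_POOL] if extended else [])
    return ("A-to-B", local, [SITE_B_LAN])


def matches(policy, src, dst):
    """True if the (src, dst) pair falls inside the policy's selector."""
    _, local_nets, remote_nets = policy
    return any(src in n for n in local_nets) and any(dst in n for n in remote_nets)


def secured_routes(extended):
    """Prefixes the client would receive as secured routes, as strings."""
    _, _, remote = remote_access_policy(extended)
    return [str(n) for n in remote]


def client_can_reach_site_b(extended):
    """Hairpin check: the packet must match the selector on both legs.

    Leg 1: at the client, so it is encrypted toward site A at all.
    Leg 2: at site A after decryption, so A forwards it into the B tunnel
           instead of routing it out the WAN unprotected or dropping it.
    """
    src = CLIENT_POOL[10]      # a client address, e.g. 10.10.50.10
    dst = SITE_B_LAN[20]       # a host at site B, e.g. 192.168.1.20
    leg1 = matches(remote_access_policy(extended), src, dst)
    leg2 = matches(site_to_site_policy_a_to_b(extended), src, dst)
    return leg1 and leg2


def rip_crosses_tunnel(extended):
    """RIPv2 updates are sent to 224.0.0.9; no unicast selector covers that
    destination, so the update never enters the tunnel, extended or not."""
    src = SITE_A_LAN[1]
    return matches(site_to_site_policy_a_to_b(extended), src, RIP_V2_GROUP)


if __name__ == "__main__":
    for ext in (False, True):
        print(f"extended={ext}: secured routes {secured_routes(ext)}, "
              f"client->B {client_can_reach_site_b(ext)}, "
              f"RIP crosses tunnel {rip_crosses_tunnel(ext)}")
```

The return path is the mirror image: site B's selector must also list the client pool as a remote network, otherwise B's replies to 10.10.50.x are not encrypted back toward A. Whether the SA520W allows the client pool to be added to its site-to-site policies is exactly the device question the thread leaves open; the model only shows what would have to hold for the path to work.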

It looks like it's been a while since this thread was looked at. If you would like, I would be happy to dive into it a bit deeper to give you a definitive answer on whether or not this can be done on the SA500s. I will be out of the office until Friday, but I will definitely take a look at it when I get back.

I have been unable thus far to successfully get this working with just the IPSec VPN. Based on my testing so far I do not see any evidence to believe that this is possible with the SA5XX via IPSec alone.